<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/net/wireless/marvell, branch v4.9</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>mwifiex: printk() overflow with 32-byte SSIDs</title>
<updated>2016-11-17T11:16:52+00:00</updated>
<author>
<name>Brian Norris</name>
<email>briannorris@chromium.org</email>
</author>
<published>2016-11-09T02:28:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=fcd2042e8d36cf644bd2d69c26378d17158b17df'/>
<id>fcd2042e8d36cf644bd2d69c26378d17158b17df</id>
<content type='text'>
SSIDs aren't guaranteed to be 0-terminated. Let's cap the max length
when we print them out.

This can be easily noticed by connecting to a network with a 32-octet
SSID:

[ 3903.502925] mwifiex_pcie 0000:01:00.0: info: trying to associate to
'0123456789abcdef0123456789abcdef &lt;uninitialized mem&gt;' bssid
xx:xx:xx:xx:xx:xx

Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Brian Norris &lt;briannorris@chromium.org&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Acked-by: Amitkumar Karwar &lt;akarwar@marvell.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
SSIDs aren't guaranteed to be 0-terminated. Let's cap the max length
when we print them out.

This can be easily noticed by connecting to a network with a 32-octet
SSID:

[ 3903.502925] mwifiex_pcie 0000:01:00.0: info: trying to associate to
'0123456789abcdef0123456789abcdef &lt;uninitialized mem&gt;' bssid
xx:xx:xx:xx:xx:xx

Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Brian Norris &lt;briannorris@chromium.org&gt;
Cc: &lt;stable@vger.kernel.org&gt;
Acked-by: Amitkumar Karwar &lt;akarwar@marvell.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cfg80211: add ability to check DA/SA in A-MSDU decapsulation</title>
<updated>2016-10-12T07:19:10+00:00</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2016-10-05T14:17:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8b935ee2ea17db720d70f6420f77f594c0c93f75'/>
<id>8b935ee2ea17db720d70f6420f77f594c0c93f75</id>
<content type='text'>
We should not accept arbitrary DA/SA inside A-MSDUs, it could be used
to circumvent protections, like allowing a station to send frames and
make them seem to come from somewhere else.

Add the necessary infrastructure in cfg80211 to allow such checks, in
further patches we'll start using them.

Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We should not accept arbitrary DA/SA inside A-MSDUs, it could be used
to circumvent protections, like allowing a station to send frames and
make them seem to come from somewhere else.

Add the necessary infrastructure in cfg80211 to allow such checks, in
further patches we'll start using them.

Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cfg80211: let ieee80211_amsdu_to_8023s() take only header-less SKB</title>
<updated>2016-10-12T07:19:10+00:00</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2016-10-05T13:29:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=7f6990c830f3e8d703f13d7963acf51936c52ad2'/>
<id>7f6990c830f3e8d703f13d7963acf51936c52ad2</id>
<content type='text'>
There's only a single case where has_80211_header is passed as true,
which is in mac80211. Given that there's only simple code that needs
to be done before calling it, export that function from cfg80211
instead and let mac80211 call it itself.

Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There's only a single case where has_80211_header is passed as true,
which is in mac80211. Given that there's only simple code that needs
to be done before calling it, export that function from cfg80211
instead and let mac80211 call it itself.

Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mwifiex: code rearrangement in mwifiex_usb_host_to_card()</title>
<updated>2016-09-26T17:39:43+00:00</updated>
<author>
<name>Amitkumar Karwar</name>
<email>akarwar@marvell.com</email>
</author>
<published>2016-09-20T15:19:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ac3b561721e946047eebbca73d8dcaee1cc9b302'/>
<id>ac3b561721e946047eebbca73d8dcaee1cc9b302</id>
<content type='text'>
This patch helps get rid of goto statement and improves readability.

Signed-off-by: Amitkumar Karwar &lt;akarwar@marvell.com&gt;
Signed-off-by: Cathy Luo &lt;cluo@marvell.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch helps get rid of goto statement and improves readability.

Signed-off-by: Amitkumar Karwar &lt;akarwar@marvell.com&gt;
Signed-off-by: Cathy Luo &lt;cluo@marvell.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mwifiex: fix race condition causing tx timeout</title>
<updated>2016-09-26T17:39:42+00:00</updated>
<author>
<name>Cathy Luo</name>
<email>cluo@marvell.com</email>
</author>
<published>2016-09-20T15:19:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=5476f8030d9a9f7082ba5a4d4f0a1bfbf6936800'/>
<id>5476f8030d9a9f7082ba5a4d4f0a1bfbf6936800</id>
<content type='text'>
It's been observed that in a corner case mwifiex_usb_tx_complete()
gets called before we exit from mwifiex_usb_host_to_card() after
submitting the urb. 'data_sent' flag remains set in this case. It
blocks further Tx packets and triggers watchdog timeout.

The problem is fixed by setting data_sent and port_block flag at
correct place.

Signed-off-by: Cathy Luo &lt;cluo@marvell.com&gt;
Signed-off-by: Shengzhen Li &lt;szli@marvell.com&gt;
Signed-off-by: Amitkumar Karwar &lt;akarwar@marvell.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
It's been observed that in a corner case mwifiex_usb_tx_complete()
gets called before we exit from mwifiex_usb_host_to_card() after
submitting the urb. 'data_sent' flag remains set in this case. It
blocks further Tx packets and triggers watchdog timeout.

The problem is fixed by setting data_sent and port_block flag at
correct place.

Signed-off-by: Cathy Luo &lt;cluo@marvell.com&gt;
Signed-off-by: Shengzhen Li &lt;szli@marvell.com&gt;
Signed-off-by: Amitkumar Karwar &lt;akarwar@marvell.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mwifiex: fix kernel crash for USB chipsets</title>
<updated>2016-09-26T17:39:41+00:00</updated>
<author>
<name>Cathy Luo</name>
<email>cluo@marvell.com</email>
</author>
<published>2016-09-20T15:19:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1afac196c16753f93d482eedb9aeb802e740e67e'/>
<id>1afac196c16753f93d482eedb9aeb802e740e67e</id>
<content type='text'>
Following crash issue is observed during TCP traffic stress
test

[ 2253.625439] NMI watchdog: BUG: soft lockup - CPU#3 stuck for 22s!
[kworker/u17:1:5191]
[ 2253.625520] Call Trace:
[ 2253.625527]  [&lt;ffffffffc0b47030&gt;] ? moal_spin_lock+0x30/0x30
[usb8xxx]
[ 2253.625533]  [&lt;ffffffffc0ac3ceb&gt;] ? wlan_wmm_lists_empty+0xb/0xf0
[mlan]
[ 2253.625537]  [&lt;ffffffffc0ab0ea3&gt;] mlan_main_process+0x1b3/0x720
[mlan]
[ 2253.625540]  [&lt;ffffffffc0b337f5&gt;] woal_main_work_queue+0x45/0x80
[usb8xxx]
[ 2253.625543]  [&lt;ffffffff8108aaf0&gt;] process_one_work+0x150/0x3f0
[ 2253.625545]  [&lt;ffffffff8108b1e1&gt;] worker_thread+0x121/0x520
[ 2253.625547]  [&lt;ffffffff8108b0c0&gt;] ? rescuer_thread+0x330/0x330
[ 2253.625549]  [&lt;ffffffff81090222&gt;] kthread+0xd2/0xf0
[ 2253.625551]  [&lt;ffffffff81090150&gt;] ?
kthread_create_on_node+0x1c0/0x1c0
[ 2253.625553]  [&lt;ffffffff8179423c&gt;] ret_from_fork+0x7c/0xb0
[ 2253.625555]  [&lt;ffffffff81090150&gt;] ?
kthread_create_on_node+0x1c0/0x1c0

In mwifiex_usb_tx_complete(), we are updating port-&gt;block_status first
and then freeing the skb attached to that URB. We may end up attaching
new skb to URB in a corner case and same will be freed. This results in
the kernel crash. The problem is solved by changing the sequence.

Signed-off-by: Cathy Luo &lt;cluo@marvell.com&gt;
Signed-off-by: Shengzhen Li &lt;szli@marvell.com&gt;
Signed-off-by: Amitkumar Karwar &lt;akarwar@marvell.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Following crash issue is observed during TCP traffic stress
test

[ 2253.625439] NMI watchdog: BUG: soft lockup - CPU#3 stuck for 22s!
[kworker/u17:1:5191]
[ 2253.625520] Call Trace:
[ 2253.625527]  [&lt;ffffffffc0b47030&gt;] ? moal_spin_lock+0x30/0x30
[usb8xxx]
[ 2253.625533]  [&lt;ffffffffc0ac3ceb&gt;] ? wlan_wmm_lists_empty+0xb/0xf0
[mlan]
[ 2253.625537]  [&lt;ffffffffc0ab0ea3&gt;] mlan_main_process+0x1b3/0x720
[mlan]
[ 2253.625540]  [&lt;ffffffffc0b337f5&gt;] woal_main_work_queue+0x45/0x80
[usb8xxx]
[ 2253.625543]  [&lt;ffffffff8108aaf0&gt;] process_one_work+0x150/0x3f0
[ 2253.625545]  [&lt;ffffffff8108b1e1&gt;] worker_thread+0x121/0x520
[ 2253.625547]  [&lt;ffffffff8108b0c0&gt;] ? rescuer_thread+0x330/0x330
[ 2253.625549]  [&lt;ffffffff81090222&gt;] kthread+0xd2/0xf0
[ 2253.625551]  [&lt;ffffffff81090150&gt;] ?
kthread_create_on_node+0x1c0/0x1c0
[ 2253.625553]  [&lt;ffffffff8179423c&gt;] ret_from_fork+0x7c/0xb0
[ 2253.625555]  [&lt;ffffffff81090150&gt;] ?
kthread_create_on_node+0x1c0/0x1c0

In mwifiex_usb_tx_complete(), we are updating port-&gt;block_status first
and then freeing the skb attached to that URB. We may end up attaching
new skb to URB in a corner case and same will be freed. This results in
the kernel crash. The problem is solved by changing the sequence.

Signed-off-by: Cathy Luo &lt;cluo@marvell.com&gt;
Signed-off-by: Shengzhen Li &lt;szli@marvell.com&gt;
Signed-off-by: Amitkumar Karwar &lt;akarwar@marvell.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mwifiex: cfg80211 set_default_mgmt_key handler</title>
<updated>2016-09-26T15:19:42+00:00</updated>
<author>
<name>Ganapathi Bhat</name>
<email>gbhat@marvell.com</email>
</author>
<published>2016-09-20T13:16:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=89951db2be53106edbe0d24b3b5f9a787326daf6'/>
<id>89951db2be53106edbe0d24b3b5f9a787326daf6</id>
<content type='text'>
Previously device used to start using IGTK key as Tx key as soon as it
gets downloaded in add_key(). This patch implements set_default_mgmt_key
handler. We will update Tx key ID in set_default_mgmt_key().

Signed-off-by: Ganapathi Bhat &lt;gbhat@marvell.com&gt;
Signed-off-by: Amitkumar Karwar &lt;akarwar@marvell.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Previously device used to start using IGTK key as Tx key as soon as it
gets downloaded in add_key(). This patch implements set_default_mgmt_key
handler. We will update Tx key ID in set_default_mgmt_key().

Signed-off-by: Ganapathi Bhat &lt;gbhat@marvell.com&gt;
Signed-off-by: Amitkumar Karwar &lt;akarwar@marvell.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mwifiex: fix null pointer deference when adapter is null</title>
<updated>2016-09-17T15:26:32+00:00</updated>
<author>
<name>Colin Ian King</name>
<email>colin.king@canonical.com</email>
</author>
<published>2016-09-16T09:37:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=80ba4f1d365af206b9e818d17d22fed02fe5def0'/>
<id>80ba4f1d365af206b9e818d17d22fed02fe5def0</id>
<content type='text'>
If adapter is null the error exit path in mwifiex_shutdown_sw is
to down the semaphore sem and print some debug via mwifiex_dbg.
However, passing a NULL adapter to mwifiex_dbg causes a null
pointer deference when accessing adapter-&gt;dev.  This fix checks
for a null adapter at the start of the function and to exit
without the need to up the semaphore and we also skip the debug
to avoid the null pointer dereference.

Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If adapter is null the error exit path in mwifiex_shutdown_sw is
to down the semaphore sem and print some debug via mwifiex_dbg.
However, passing a NULL adapter to mwifiex_dbg causes a null
pointer deference when accessing adapter-&gt;dev.  This fix checks
for a null adapter at the start of the function and to exit
without the need to up the semaphore and we also skip the debug
to avoid the null pointer dereference.

Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mwifiex: fix error handling in mwifiex_create_custom_regdomain</title>
<updated>2016-09-17T15:25:57+00:00</updated>
<author>
<name>Bob Copeland</name>
<email>me@bobcopeland.com</email>
</author>
<published>2016-09-14T12:42:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=92ca4f92eca7aa362d51f7657d3fea47861600ee'/>
<id>92ca4f92eca7aa362d51f7657d3fea47861600ee</id>
<content type='text'>
smatch reports:

sta_cmdresp.c:1053 mwifiex_create_custom_regdomain() warn: possible memory leak of 'regd'

Indeed, mwifiex_create_custom_regdomain() returns NULL in the
case that channel is missing in the TLV without freeing regd.

Moreover, some other error paths in this function return ERR_PTR
values which are assigned without checking to the regd field in
the mwifiex_adapter struct.  The latter is only null-checked where
used.

Fix by freeing regd in the error path, and only update
priv-&gt;adapter-&gt;regd if the returned pointer is valid.

Cc: Amitkumar Karwar &lt;akarwar@marvell.com&gt;
Cc: Nishant Sarmukadam &lt;nishants@marvell.com&gt;
Signed-off-by: Bob Copeland &lt;me@bobcopeland.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
smatch reports:

sta_cmdresp.c:1053 mwifiex_create_custom_regdomain() warn: possible memory leak of 'regd'

Indeed, mwifiex_create_custom_regdomain() returns NULL in the
case that channel is missing in the TLV without freeing regd.

Moreover, some other error paths in this function return ERR_PTR
values which are assigned without checking to the regd field in
the mwifiex_adapter struct.  The latter is only null-checked where
used.

Fix by freeing regd in the error path, and only update
priv-&gt;adapter-&gt;regd if the returned pointer is valid.

Cc: Amitkumar Karwar &lt;akarwar@marvell.com&gt;
Cc: Nishant Sarmukadam &lt;nishants@marvell.com&gt;
Signed-off-by: Bob Copeland &lt;me@bobcopeland.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mwifiex: firmware name correction for usb8997 chipset</title>
<updated>2016-09-14T17:02:14+00:00</updated>
<author>
<name>Ganapathi Bhat</name>
<email>gbhat@marvell.com</email>
</author>
<published>2016-09-12T13:25:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=b7450e248d71067e0c1a09614cf3d7571f7e10fa'/>
<id>b7450e248d71067e0c1a09614cf3d7571f7e10fa</id>
<content type='text'>
Similar to pcie8997 chipset, first firmware submitted for usb8997
chipset will be usbusb8997_combo_v4.bin. This patch corrects the
name used in driver.

Signed-off-by: Ganapathi Bhat &lt;gbhat@marvell.com&gt;
Signed-off-by: Amitkumar Karwar &lt;akarwar@marvell.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Similar to pcie8997 chipset, first firmware submitted for usb8997
chipset will be usbusb8997_combo_v4.bin. This patch corrects the
name used in driver.

Signed-off-by: Ganapathi Bhat &lt;gbhat@marvell.com&gt;
Signed-off-by: Amitkumar Karwar &lt;akarwar@marvell.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
